Process control or industrial automation systems are used extensively to protect, control and monitor industrial processes in industrial plants for manufacturing goods, transforming substances, or generating power, for example, as well as to monitor and control extended primary systems like electric power, water or gas supply systems or telecommunication systems, including their respective substations. An industrial automation system generally has a large number of process controllers which are distributed in an industrial plant or over an extended primary system and communicatively interconnected via a communication system.
Substations in high and medium-voltage power networks include primary devices such as electrical cables, lines, bus bars, switches, power transformers and instrument transformers, which are generally arranged in switch yards and/or bays. These primary devices are operated in an automated way via a Substation Automation (SA) system. The SA system includes secondary devices, so-called Intelligent Electronic Devices (IEDs), which are responsible for protection, control and monitoring of the primary devices. The IEDs may be assigned to hierarchical levels, such as the station level, the bay level, and the process level, where the process level is separated from the bay level by a so-called process interface. The station level of the SA system includes an Operator Work Station (OWS) with a Human-Machine Interface (HMI) and a gateway to a Network Control Centre (NCC). IEDs on the bay level, which may also be referred to as bay units, in turn are connected to each other as well as to the IEDs on the station level via an inter-bay or station bus serving the purpose of exchanging commands and status information.
A communication standard for communication between the secondary devices of a substation has been introduced as part of the IEC 61850 standard entitled “Communication Networks and Systems In Substations”. For non-time critical messages, IEC 61850-8-1 specifies the Manufacturing Message Specification (MMS, ISO/IEC 9506) protocol based on a reduced Open Systems Interconnection (OSI) protocol stack with the Transmission Control Protocol (TCP) and Internet Protocol (IP) in the transport and network layer, respectively, and Ethernet as physical media. For time-critical event-based messages, IEC 61850-8-1 specifies the Generic Object Oriented Substation Events (GOOSE) directly on the Ethernet link layer of the communication stack. For very fast periodically changing signals at the process level such as measured analog voltages or currents, IEC 61850-9-2 specifies the Sampled Value (SV) service, which, like GOOSE, builds directly on the Ethernet link layer. Hence, the standard defines a format to publish, as multicast messages on an industrial Ethernet, event-based messages and digitized measurement data from current or voltage sensors on the process level.
With the introduction of IEC 61850, precise time synchronization over Ethernet-based networks for secondary devices in process control or substation automation systems has become a concern. As a replacement of the classical Pulse-Per-Second (PPS) signal, IEC 61850 recommends the use of the IEEE 1588 standard to achieve the degree of time synchronization required for critical data such as SV or trip signals. The IEEE 1588 standard can run in two modes. In a one-step-clock mode, a master clock sends a synchronization message and at the same time timestamps the message and inserts the timestamp in the content of the same message. In a two-step-clock mode, the timestamp is not carried directly in the synchronization message but in a follow-up message.
A further prominent aspect in substation automation is the increased importance placed on cyber-security. While the protocols defined by IEC 61850, such as 8-1 and 9-2, are covered by IEC 62351-6 to define the required security mechanisms, IEEE 1588 remains unprotected. One of the problems in securing IEEE 1588 is the inability to secure the protocol when using a one-step-clock approach. A two-step-clock is trivial to secure, whether with a symmetric or asymmetric scheme, since the synchronization message is a non-sensitive message that is never modified at all. On the other hand, a secured one-step clock approach requires securing the synchronization message on the fly (while being forwarded), and thus is almost impossible (for an asymmetric scheme) or impossible (for a symmetric scheme or for a 1 Gbit/sec network) to implement.
EP 2148473 relates to mission-critical or highly-available applications based on a ring-type communication network with a plurality of switching nodes and operating with full duplex links. A sender node that is connected over a respective first and second port to the communication network transmits pairs of redundant frames. For each frame to be sent on the ring network, a source and a duplicate frame are transmitted in opposite directions, where both frames are relayed by the other nodes of the ring network until they eventually return back to the originating sender node. As a consequence, network load is roughly doubled with respect to a conventional ring network, but the destination node will receive the data after a maximum transmission delay that equals the longest possible path of the ring. In the fault-free state, the destination node thus receives two redundant frames with the same contents. The redundant frames can be identified according to a Parallel Redundancy Protocol (PRP). Therefore, only the earlier or first frame of the two frames is forwarded to the upper layer protocols and the later or second frame is discarded. As the synchronization message and the follow-up message of a two-step-clock approach may take different paths or directions in HSR, use of a one-step-clock is preferred.
The paper “Practical Application of 1588 Security”, by Albert Treytl, Bernd Hirschler, IEEE International Symposium on Precise Clock Synchronization, September 2008, Ann Harbor, USA, proposes a way to implement a secure one-step-clock in which a static part of the synchronization message is hashed upfront. The timestamp is then produced and embedded in the message, following which the hash is completed rapidly on the remaining part of the message, i.e., the timestamp. The drawback of this approach is that it only allows a symmetric protection scheme which is less time consuming than the asymmetric one. Indeed, the operation is still done on the fly, i.e., hashing of the remaining part as well as signing, and is therefore time critical. Another drawback is the limitation of this approach to a 100 Mbit/sec network, since for a 1 Gbit/sec network the remaining hashing operations will not be completed on time.